Was watching this video and Mark Furneaux was talking about his router hardware change-out, quite boring tbh. He mentions the version 2.4 requirement for a 64-bit processor (which I knew) and then he mentioned something about an announcement by Netgate that forward / future compatibility with version 2.5 will require a CPU which supports AES-NI.

Jump to 56 seconds in for the good bit ...

I thought this was worth highlighting as some currently popular choices, e.g. Celeron, may not support future updates beyond 2.4, which I think is due pretty soon. I think it's a shame personally. I guess people who want to use old hardware will just end up using legacy versions or maybe some third party developer.

However, it looks like the Qotom Q310G4 (Celeron 3215U) has better cooling, but is otherwise similar, and is broadly the same price. This is what I had in mind, and was close to ordering, but it has no AES-NI support either.

Their Q330G4 (Core i3-4005U) does have AES-NI support, but it comes with a £50 premium over the similar Q310G4 model.

Using @Chrys' hint about the N3150 having AES-NI support, I can see Qotom have a Q150 model series that uses it ... but it only comes with 2 LAN ports, whereas all the ones above have 4.

I don't really have a need for 4 ports at the moment. Is anyone actively using more than 2 ports at the moment?

I'm using a third port to separate WiFi access from the LAN.

Off Topic EDIT: Before switching to pfSense I used IPFire for about 8 months and for my needs it was perfectly fine. I only moved to pfSense to see what all the fuss is about. I'm now just too lazy to go back!

The backlash on the pfSense forums caused a new explanation to be given, and people are saying they will move to OPNsense.

The reasoning is the backend system for pfSense is moving to an encrypted communications model and apparently software-based AES-GCM is vulnerable to side channel attacks. The pfSense lead dev did admit a workaround is to use ChaCha for non-AES-NI hardware, but said a combination of making it harder for pfSense devs and that it would cause too much load on pfSense servers for remote GUI access means they won't pursue that solution and the AES-NI requirement will remain. One of the big features basically will be that people will be able to control their pfSense firewalls on a centralised service offered by Netgate.

Yes, I'd be surprised if it was a completely free service. Monetization happens to a lot of stuff.

Note that the pfSense we download and install is the "community edition". The one that is distributed to subscribers and pfSense hardware has some additional setup wizards but otherwise, as far as I know, has feature parity.

Netgate vs Community editions

From https://forum.pfsense.org/index.php?topic=88578.0

The Amazon VPC VPN wizard is the only feature difference between the stock open source release and what ships on hardware from either store today. The primary difference for most people's purposes is that every box we sell is specifically tuned appropriately for that combination of hardware. That doesn't involve any differences in the software itself, rather how some of its tunables are configured.

Interestingly, the community and Netgate builds are apparently performed on different systems.

Number of ports

In most cases 2 ports are enough (WAN on one, LAN->switch->internal network). At home I use 3 ports, as I had a second WAN connection and still have some gear connected.

In my case, the current modem/router is plugged directly into a SamKnows box, which is then plugged into a 16-port switch - so I'm really only using the one LAN port.

That router also provides WiFi, but we only use it as a backup. The main WiFi comes from a standalone AP connected into the main switch ... and if I got around to it, I could use a separate VLAN for guest SSIDs.

It's a good question as to whether I would want a separate WAN connection, though.

Some USB Ethernet dongles are supported, potentially allowing you to tether a phone. The very cheap one I tried worked well enough to be recognised, but was unable to see any access points. I'll probably try again at some point with better research for a suitable dongle.

A surer way, assuming you have a spare port, might be to plug in an Ethernet-connected 3G/4G modem.